According to RedTeam Pentesting, attackers can modify a JavaScript variable stored on the client side in a browser to bypass the authentication mechanism and download the configuration file, as well as the password hashes stored in it. However, there appears to be an even simpler way: the file can reportedly be downloaded without any authentication by entering the full URL in a browser.

Attackers can then crack the passwords, or upload a modified configuration file. RedTeam says that this is also possible without authentication using a trick: for instance, an attacker could insert a password hash and then use this password to log in later as an admin. All that's required for an attack to be successful is that the web interface is accessible; curl, wget or a browser are the only tools needed.

RedTeam also managed to decrypt the encrypted firmware using a known-plaintext attack. Zyxel released new firmware to fix the problems on 25 April.